Key management in a communication network

ABSTRACT

A method and apparatus for key management in a communication network. A Key Management Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device.

FIELD OF THE INVENTION

The invention relates to the field of key management in a communicationnetwork, and in particular to the field of key management for thepurpose of authentication or secure communication.

BACKGROUND TO THE INVENTION

End to end (e2e) media in a communication network can be protected usinga ticket based key management solution, as described inPCT/SE2007/050927, and illustrated in FIG. 1 herein. In thecommunication network shown, User A 1 can communicate with User B 2 andalso a Key Management Server (KMS) 3. Similarly, User B 2 cancommunicate with User A 1 and the KMS 3. When User A 1 initiates a callto User B 2, User A 1 first sends 51 to the KMS 3 a request for a key tobase security on (the security is used to secure the media or other typeof communication between User A 1 and User B 2) and a ticket for User B2. The KMS 3 sends a response S2 to User A that includes a key and aticket for User B 2. The ticket either contains the key, or it containsa reference to the key which is stored in the KMS. User A then sends S3a message to User B 2 to initiate a communication. This message includesthe ticket that User A previously received from the KMS 3. When User B 2receives the ticket from User A 1, User B 2 sends S4 the ticket to theKMS 3 with a request that the KMS shall resolve (i.e. return the keyassociated with) the ticket. The KMS 3 sends a response S5 to User Bthat includes the key. Once User B 2 has the key, it can receive secureddata from, and transmit data to, User A. The ticket may contain moreinformation than the key itself, such as key life-time, intendedreceiver, usage rules, etc. Another example of a ticket based scheme isthe well-known and widely deployed Kerberos scheme.

A problem with such a system occurs when forking is required. Forkingoccurs when, for example, an INVITE message is directed to severaldevices (simultaneously or sequentially) and the first one to answerpicks up the call. Forking is used to reach a person who has severaldevices and would like to be able to pick up a call on anyone of them.Another situation in which forking may be used is in a manager andsecretary environment. The call is first directed to the secretary, andif the secretary doesn't answer, the manager may pick up the call (orvice versa). If this situation is solved by the use of forking, it meansthat both the manager's and the secretary's phone will ringsimultaneously or first the secretary's and then the manager's phonerings and the first one to pick up the phone picks up the call. WO2005/078988 is concerned with key management between devices belongingto different network or network domains, but does not consider theproblem that arises where a user has several different devices, any oneof which could respond to an INVITE.

The ticket based system doesn't provide an efficient and secure solutionto the forking problem. User A 1 cannot in advance know for certainwhich device will pick up a call, and so it must request a ticketassociated with a key that can be used by any device in a group ofdevices to which the call is forked. This would then mean that eitherall of those devices in the group of devices could send the ticket tothe KMS 3 and receive the key, or the KMS 3 could implement a policythat it only returns a key to one device, for example the device thatfirst requests the key. The first option is inappropriate in manyscenarios. In particular, where accountability is needed, there is arisk that the devices can get infected by malicious software, or severalphysical persons may share the same subscription. The second optionrequires the KMS 3 to maintain state, which is undesirable from theperspective of reliability, storage space and Denial of Service (DoS).The KMS 3 would either have to hold information about all tickets thathave been generated and are valid but which have not been resolved, orit would have to keep a record for the remaining life-times of alltickets submitted for resolution. Setting an appropriate life-time is adifficult issue; it should be as short as possible to minimize thestorage needed by the KMS 3, but it should also be long enough to covercircumstances where a long ticket life is required, such as if a userwishes to resolve tickets for messages left on the user's answeringmachine after coming back from a four-week vacation.

For security reasons it is essential that all the devices that may beincluded in the forking should use different keys. For example, thesecretary should not in general have access to the key used by themanager. A proposed IETF solution (Datagram Transport Layer Security(DTLS) Extension to Establish Keys for Secure Real-time TransportProtocol (SRTP) draft-ietf-avt-dtls-srtp-06.txt) relies on negotiatingthe key in the media plane. Of course, this requires that the call hasbeen established and that the negotiation traffic can and is allowed tobe carried in the media plane. If several of the devices that theforking included negotiate a key, their keys will be different. However,this solution is not easily adaptable to a ticket based key managementsystem. Proposed 3GPP solutions (such as TR 33.828v0.8.0 clause 6.4.5)include letting the terminating device define the key, or use acombination of a key generated on the initiating side and a keygenerated by the terminating device. The proposed solution of having theterminating device generate the key suffers from the problem that eitherthe sender and receiver has to have established shared keying materialalready, or an existing public key infrastructure needs to be in placeto secure the transport of key information from the terminating to theinitiating device.

SUMMARY OF THE INVENTION

It is an object of the invention to provide a ticket based keymanagement solution in scenarios where a user receiving a call orcommunication session may have the invitation to the communicationsession forked to one of a number of devices associated with a useridentity. The keys may be used, for example, to secure communicationbetween devices, or to allow one device to authenticate itself toanother device. According to a first aspect of the invention, there isprovided a method of key management for a first and second device in acommunication network. A Key Management Server (KMS) receives from thefirst device a request for a token associated with a user identity. TheKMS then sends the requested token and a user key associated with theuser to the first device. The KMS then receives the token from a seconddevice, the second device being associated with the user identity. Asecond device key is generated using the user key and a modifyingparameter associated with the second device. The modifying parameter isavailable to the first device for generating the second device key. Thesecond device key is then sent from the KMS to the second device. Thisallows the second device to authenticate itself to the first device, andalternatively or additionally allows the first device to securecommunications to the second device.

As an option, the first device uses the modifying parameter and the userkey to generate the second device key prior to secure communicationbetween the first device and the second device.

The modifying parameter is optionally received at the KMS from thesecond device prior to generating the second device key. Alternatively,the modifying parameter is generated at the KMS prior to generating thesecond device key.

As an option, the modifying parameter is selected from any of apseudo-random number, an identity associated with the terminatingdevice, a Globally Routable UA Uniform Resource Identifier, a NetworkApplication Function-initial key, an IP Multimedia Private Identityassociated with the terminating device and an International MobileSubscriber Identity associated with the terminating device.

The step of generating the second device key optionally includes usingboth the modifying parameter and at least one further parameter. Thefurther parameter is optionally selected from a time stamp, an identityassociated with the first device, an identity associated with the seconddevice, an identity associated with the first user, an identityassociated with the second user, and an identity associated with theKMS, the method further comprising sending an indication of the furtherparameter to the originating device.

Where the invention is required for authentication, the KMS receivesfrom the second device, in addition to the token, an identity parameterrelating to the user's identity, and then uses the identity parameter togenerate the second device key. The second device can then optionallyuse the second device key to generate a Message Authentication Code, andsend the Message Authentication Code to the first device. This enablesthe first device to authenticate the second device using the MessageAuthentication Code and the user's identity.

In cases where the first device and the second devices are each attachedto a different KMS, the token received from the second device isoptionally received via a second KMS, and the second device key isoptionally sent to the second device via the second KMS.

The user identity optionally identifies a single user, a group of users,or any user.

According to a second aspect of the invention, there is provided a KMSfor use in a communication network. A first receiver function isprovided for receiving from a first device a request for a tokenassociated with a user identity. A first transmitting function isprovided for transmitting the token and a user key associated with theuser identity to the first device. A second receiving function isprovided for receiving a message from a second device, the second devicebeing associated with the user identity and the message including thetoken. A processing function is provided to generate a second device keyusing a modifying parameter associated with the second device. A secondtransmitting function is further provided for transmitting the seconddevice key to the second device, the key being usable by the seconddevice to authenticate itself with the first device.

The processing function of the KMS is optionally further arranged toobtain the modifying parameter prior to generating the terminatingdevice key.

According to a third aspect of the invention, there is provided anoriginating device for use in a communication network. The device isprovided with a first transmitting function for sending to a KMS arequest for a user key, and a token associated with a user identity withwhich the device wishes to establish a communication. A first receivingfunction is provided for receiving the user key and the token from theKMS. A second transmitting function is provided for sending to the useridentity a request to establish a communication, the request includingthe token. A second receiving function is provided for receiving amodifying parameter from a second device, the second device beingassociated with the user identity. A processor is provided for using themodifying parameter and the user key to generate a second device key,and a third transmitting function is provided for sending acommunication to the second device, the communication being securedusing the second device key.

According to a fourth aspect of the invention, there is provided aterminating device for use in a communication network. A first receiverfunction is provided for receiving from an originating device a requestto establish a communication. The request includes a token associatedwith a receiving user identity. A first transmitting function isprovided for sending the token to a KMS. A second receiver function isprovided for a terminating device key receiving from the KMS, and athird receiver function is provided for receiving from the originatingdevice a communication secured using the terminating device key.

As an option, the terminating device is provided with a secondtransmitter function for sending to the originating device a modifyingparameter used to generate the terminating device key. Alternatively theterminating device has a processor for obtaining the modifyingparameter.

According to a fifth aspect of the invention, there is provided a methodof key management at an originating device. The method comprises sendinga request to a KMS. The request is for a user key and a token associatedwith a user identity with which the originating device wishes toestablish a communication. The originating device receives the user keyand the token from the KMS, and then sends a request to the user toestablish a communication. The request includes the token. The devicereceives a modifying parameter from a second device that is associatedwith the user identity, and uses the modifying parameter and the userkey to generate a second device key. The originating device can thensend a communication to the second device, the communication beingsecured using the second device key.

According to a sixth aspect of the invention, there is provided a methodof key management for use at a terminating device. The terminatingdevice receives a request from an originating device to establish acommunication. The request includes a token associated with a receivinguser identity. It then sends the token to a KMS and, in response,receives a terminating device key from the KMS. It can then receivecommunications secured using the terminating device key from theoriginating device.

According to a seventh aspect of the invention, there is provided acomputer program which comprises computer readable code means which,when run on a KMS, causes the KMS to behave as a KMS described above inthe second aspect of the invention.

According to an eighth aspect of the invention, there is provided acomputer program product comprising a computer readable medium and acomputer program as described above in the seventh aspect of theinvention, wherein the computer program is stored on the computerreadable medium.

According to a ninth aspect of the invention, there is provided acomputer program, comprising computer readable code means which, whenrun on a device, causes the device to behave as a device as describedabove in the third aspect of the invention.

According to a tenth aspect of the invention, there is provided acomputer program product comprising a computer readable medium and acomputer program as described above in the ninth aspect of theinvention, wherein the computer program is stored on the computerreadable medium.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates schematically in a block diagram the signallingrequired for a ticket based key management solution in a securecommunication procedure;

FIG. 2 illustrates schematically in a block diagram signalling andnetwork architecture according to an embodiment of the invention;

FIG. 3 is a signalling diagram illustrating signalling according to anembodiment of the invention;

FIG. 4 illustrates schematically in a block diagram signalling andnetwork architecture according to a further embodiment of the inventionin which the KMS generates a modifying parameter;

FIG. 5 illustrates schematically in a block diagram signalling andnetwork architecture according to a further embodiment of the inventionin which a modifying parameter is defined via a Generic BootstrappingArchitecture system;

FIG. 6 illustrates schematically in a block diagram signalling andnetwork architecture according to a further embodiment of the inventionin which a modifying parameter is defined using a Globally Routable UAURI;

FIG. 7 is a signalling diagram illustrating signalling according to afurther embodiment of the invention;

FIG. 8 illustrates schematically in a block diagram a Key ManagementServer according to an embodiment of the invention;

FIG. 9 illustrates schematically in a block diagram an originatingdevice according to an embodiment of the invention; and

FIG. 10 illustrates schematically in a block diagram a terminatingdevice according to an embodiment of the invention.

DETAILED DESCRIPTION

The following description assumes that the ticket based solution ofPCT/SE2007/050927 is used. However, a person of skill in the art wouldrealise that the invention described herein is equally applicable toother ticket based systems, e.g. Kerberos, if use cases with forkingwere to be supported. Furthermore, the following description uses theterm INVITE to generically denote a signalling message from anoriginating party to a terminating party, sent for the purpose ofestablishing a media communication session, e.g. VoIP or videotelephony, between the two parties. The signalling protocol used may,for example, be Session Initiation Protocol (SIP).

Referring to FIGS. 2 and 3 herein, Terminal B (User B) 2 sends a ticketwhich was previously received from Terminal A 1 a to the KMS 3 with arequest for a key on which the protection of a communication betweenUser A and User B should be based. The KMS 3 then responds to User B 2with a device-unique key. The information used in the derivation of thedevice unique key can be made available to the KMS 3 in different ways,and must be made available to the Terminal A (User A) 1. According to anembodiment of the invention, the following steps are followed, in whichthe numbering corresponds to the numbering of FIG. 2:

S6. Terminal A 1 a requests a key and a ticket from the KMS 3. Therequest and/or ticket may contain information about the identity of therecipient(s). The recipient may be a single user, an identified group ofusers or any user.

S7. The KMS 3 returns the key and the ticket to User A, using Terminal A1 a. The key is a base key denoted Key. The key, or a reference to acopy of it which is accessible to the KMS 3, is included in the ticket.

S8. Terminal A 1 a sends an INVITE directed to the recipient, User B 2,who uses Terminal B 4. The INVITE includes the ticket. The INVITE isrouted to Terminal B 4.

S9. Terminal B 4 sends the ticket together with an initial parameter tothe KMS 3. The initial parameter may be based on a random value newlygenerated for each request, or it may be generated once and reused for anumber of requests. The initial parameter can additionally oralternatively be based on an identity which is tied to Terminal B 4 orUser B 2 (the identity may be publicly known, in particular it may beknown to Terminal A 1 a). It might also be a private value from which apublic identity for User B 2 can be derived. The communication betweenTerminal B and the KMS should be confidentiality protected, and in somecases also integrity protected.

S10. The KMS 3 derives a modifying parameter using at least the initialparameter, for example by applying a cryptographic function. An exampleof a cryptographic function is a hash function. In this case, themodifying parameter Mod_B=Hash(initial parameter). In some cases, theinitial parameter may be used directly as Mod_B. The KMS 3 then derivesa Terminal B 4 unique key by applying a key derivation function (KDF) onthe modifying parameter and the key Key, Key_B=KDF(Key, Mod_B, otherparameters). Other parameters that may be input to the KDF aretime-stamps, identities associated with Terminal A and/or Terminal B,identities associated with User A 1 and/or User B 2, an identityassociated with the KMS 3 etc. If other parameters are included in theKDF, these must be either implicitly known to Terminal A 1 a andTerminal B or signalled to the Terminal A 1 a and Terminal B 4 (whichcan be done in the same way as the modifying parameter is signalled asdescribed below).

S11. The KMS 3 sends key Key_B and, if necessary, Mod_B, to Terminal B4. This communication should again be protected.

S12. Terminal B 4 sends Mod_B to Terminal A 1 a. Note that Terminal Bcould have sent a response to Terminal A 1 a including the modifyingparameter already in step S9, as the modifying value is a well-definedand publicly known cryptographic function of the initial parameter. Notethat Terminal B may not have to send Mod_B at all in the event thatMod_B is already known by Terminal A, for example if it is sent by theKMS 3 or if it is a value of Terminal B 4 that is known to Terminal A 1a.

S13. User A's terminal, Terminal A 1 a, derives Key_B=KDF(Key, Mod_B,other parameters)

S14. Key_B is used to secure communications with Terminal B 4.

Note that the KDF 3 may have additional or alternative parameters asinput, provided that they can be made available to Terminal A 1 a, andTerminal A 1 a can associated them with the key derivation for TerminalB.

The above embodiment describes Mod_B being created at Terminal B 4. Notethat Mod_B may be created at one of several different nodes. In analternative embodiment of the invention, Mod_B is defined at the KMS 3,as shown in FIG. 4. In this case, the following steps are performed,with the numbering corresponding to the numbering of FIG. 4:

S15. Terminal A 1 a requests a key and a ticket from the KMS 3. Therequest and/or ticket does not have to, but can contain informationabout the identity of the recipient(s).

S16. The KMS 3 returns the key and the ticket to Terminal A 1 a. The keyis a base key denoted Key. The key or a reference to a copy of it storedin the KMS 3 is included in the ticket.

S17. Terminal A 1 a sends an INVITE including the ticket directed to therecipient, User B 2. The INVITE is routed to User B's Terminal B 4.

S18. Terminal B 4 sends the ticket to the KMS 3.

S19. The KMS 3 generates a modifying parameter. The modifying parametercould be generated at random at each request from the device or it couldbe reused for a certain number of requests from a given device. The KMS3 then derives the Terminal B 4 unique key by applying a KDF on themodifying value and the key Key, Key_B=KDF(Key, Mod_B). Note that theKDF may have additional parameters as input provided that they can bemade available to Terminal A 1 a, and Terminal A 1 a can associate themwith the key derivation for Terminal B 4. Parameters that may be inputinclude time-stamps, identities associated with Terminal A and/orTerminal B, identities associated with Terminal A 1 a and/or User B 2,an identity associated with the KMS 3 etc.

S20. The KMS 3 sends key Key_B and Mod_B to Terminal B 4. Thecommunication between Terminal B 4 and the KMS 3 is preferablyprotected.

S21. Terminal B 4 sends Mod_B to Terminal A 1 a. Note that Terminal B 4could not have sent a response to Terminal A including the modifyingvalue already in step S18 unless Terminal B knows that a previously usedMod_B will be used.

S22. Terminal A 1 a derives Key_B=KDF(Key, Mod_B), and uses Key_B forsecure communications with Terminal B 4.

In an alternative embodiment, Mod_B is defined via a GenericBootstrapping Architecture (GBA) system, as illustrated in FIG. 5. Inthis case, the following steps apply, with the following numberingcorresponding to the numbering of FIG. 5:

S23. Terminal A 1 a requests a key and a ticket from the KMS 3. Therequest and/or ticket may contain information about the identity of therecipient(s).

S24. The KMS 3 returns the key and the ticket to Terminal A 1 a. The keyis a base key denoted Key. The key or a reference to a copy of it storedin the KMS 3 is included in the ticket.

S25. Terminal A 1 a sends an INVITE including the ticket directed to therecipient, User B 2. The INVITE is routed to User B's Terminal B 4. Inthis embodiment, Terminal B is an IMS device with a Universal SubscriberIdentity Module (USIM) or IMS Services Identity Module (ISIM).

S26. Terminal B 4 sends the ticket to the KMS 3. The communicationbetween Terminal B 4 and the KMS 3 is protected and the protection isbased on a GBA generated key, e.g. a Pre-Shared Key—Transport LayerSecurity (PSK-TLS). Note that it is not necessary to protect thiscommunication, it is sufficient to transfer the ticket and a validBootstrapping Identity (B-TID) to the KMS 3.

S27. The KMS 3 a generates a modifying parameter. Using existing GBAfunctions, the KMS 3 a, which in this embodiment is a NetworkApplication Function (NAF), can learn the IP Multimedia Private Identity(IMPI)/International Mobile Subscriber Identity (IMSI) of Terminal B 4,or alternatively a NAF-initial key. The IMPI and/or the NAF-initial Keymay be used as a base to generate the modifying value using acryptographic hash. Note that Terminal B 4 can independently alsogenerate the modifying value. The KMS 3 then derives a Terminal B 4unique key by applying a KDF on the modifying value and the key Key,Key_B=KDF(Key, Mod_B).

S28. The KMS 3 sends key Key_B and Mod_B to Terminal B 4. Thecommunication between Terminal B and the KMS should be protected. Thisprotection may be based on a NAF-Key using GBA functions.

S29. Terminal B 4 sends Mod_B to Terminal A 1 a. Note that Terminal B 4could not have sent a response to Terminal A 1 a including the modifyingvalue in step S26.

S30. Terminal A 1 a derives Key_B=KDF(Key, Mod_B), and uses this key tosecure communications with Terminal B 4.

Note that the KDF may have additional parameters as input as long asthey can be made available to Terminal A 1 a, and Terminal A 1 a canassociate them with the key derivation for Terminal B 4.

In a further alternative embodiment, Mod_B is defined via using aGlobally Routable UA URI (GRUU), as illustrated in FIG. 6. In thisembodiment, the following steps apply, with the following numberingcorresponding to the numbering used in FIG. 6:

S31. Terminal A 1 a requests a key and a ticket from the KMS 3. Therequest and/or ticket may include information about the identity of therecipient(s).

S32. The KMS 3 returns the key and the ticket to Terminal A 1 a. The keyis a base key denoted Key. The Key or a reference to a copy of it storedin the KMS is included in the ticket.

S33. Terminal A 1 a sends an INVITE directed to the recipient, User B 2,the INVITE including the ticket. The INVITE is routed to User B'sTerminal B 4. In this embodiment, Terminal B 4 is an IMS device.

S34. Terminal B 4 sends the ticket to the KMS 3 together with its GRUU(which may be permanent or temporary, or initial information from whichthe GRUU can be derived). The communication between Terminal B and theKMS should be protected.

S35. The KMS 3 sets the GRUU as the modifying value, Mod_B. The KMS 3then derives the Terminal B 4 unique key by applying a KDF on themodifying value and the key Key, Key_B=KDF(Key, Mod_B).

S36. The KMS 3 sends key Key_B to Terminal B 4. The communicationbetween Terminal B and the KMS should according to this embodiment beconfidentiality protected and/or the message carrying Key_B may be sentin e.g. a SIP MESSAGE using the GRUU to define the receiver. Thisensures that the result would not reach someone trying to pose as thereal device defined by the used GRUU.

S37. Terminal B 4 sends Mod_B (the GRUU) to Terminal A 1 a. Note thatTerminal B could have sent a response to Terminal A 1 a including themodifying value already in step S34.

S38. Terminal A 1 a derives Key_B=KDF(Key, Mod_B).

As with the other embodiments, the KDF may use additional parameters asinput as long as they can be made available to Terminal A 1 a, andTerminal A 1 a can associate them with the key derivation for Terminal B4.

In a further embodiment, compatible with all of the precedingembodiments, Terminal A 1 a sends to Terminal B 4 a second modifyingparameter Mod_A along with the ticket. Mod_A is generated by User A'sdevice using a random number generator. In this embodiment, Key_B isderived using Mod_A, for example Key_B=KDF (Key, Mod_B, Mod_A) with aKDF having the property that no non-trivial information about Key canfeasibly be derived from Key_B=KDF (Key, Mod_A, Mod_B).

The use of Mod_A allows a ticket to be reused, but for fresh keys to beobtained for each new communication. Terminal A requests a ticket fromthe KMS 3 and can then use it for several calls toward any usersdesignated as recipients in the ticket. For each communication, TerminalA generates a new Mod_A.

A first requirement of the KDF is that no non-trivial information aboutKey can feasibly be derived from KDF(Key, Mod_A, Mod_B). A furtherspecific requirement is that that KDF(Key, Mod_B, Mod_A) should give nonon-trivial information about KDF(Key, Mod_A, Mod_B). This to ensurethat a malicious user cannot interchange the roles of the A and Bmodifiers. Examples of functions that satisfy these requirements aretermed pseudo-random functions.

The above description describes key management for enabling securecommunication between two or more parties. However, in an alternativeembodiment of the invention, a similar method is used to allowauthentication of a device or user. In some circumstances, theoriginator of a communication requires assurances about the identity ofthe terminating party in addition to securing the communication but inother cases this is required even where secure communication is notnecessary. In this embodiment of the invention, a key is derived thatdepends on the user identity, and the key is used to calculate a MessageAuthentication Code (MAC). In the following example, a call directed tothe recipient, User B, is forked, and the Id_Receiver used in the ticketis a public identity associated with User B, Id_B. Each terminalassociated with User B has a private identity associated with User B'spublic identity. The following numbering corresponds to the numbering ofFIG. 7:

S39. Terminal A 1 a sends a request to the KMS 3 for a ticket which isintended to be usable for a given user identity. A given user identitymay identify a single user, an identified group of users or any user.

S40. The KMS 3 returns the ticket and the ticket key, Key to User A. Atypical ticket content is (Id_A, Id_Receiver, Key, . . . ).

S41. Terminal A 1 a sends an INVITE including the ticket directed to therecipient, Terminal B 4 identified by Id_B (in an IMS network, a publicidentifier is used).

S42. Terminal B 4 sends the received ticket to the KMS 3, together witha parameter related to Terminal B's user identity and possibly otherparameters, e.g. an identity, which it wants to use and be visibletowards the caller. The parameter related to Terminal B's identity isdenoted Tld_B and the identity that Terminal B wants to be visible iscalled Vld_B. The KMS 3 must be able to verify that Id_B, Vld_B andTld_B are associated with each other.

S43. The KMS 3 receives the ticket, Tld_B and possibly Vld_B. The KMSverifies that the identity in the ticket, Tld_B and Vld_B areassociated. If no Vld_B was sent from the terminal the KMS selects aVld_B based on ticket or KMS global polices. Then the KMS 3 derives twokeys; a media key and an authentication key. The media key (Key_B_Media)is used to protect media, and the authentication key (Key_B_Auth) isused to create an authentication token. The authentication token is themeans by which user A 1 can subsequently receive assurance about userB's, identity.

For example, the media key is derived using Key_B_Media=KDF_(—)1(Key,Mod_B, other parameters) and the authentication key is derived usingKey_B_Auth=KDF_(—)2(Key, Mod_B, Vld_B, other parameters). Mod_B is arandom value and Vld_B is a public identity of user B. Other parametersmay be included if required, and may designate different sets ofparameters in the two KDFs which may also allow that KDF_(—)1 andKDF_(—)2 can be one and the same function. It is not strictly necessarythat Mod_B is the same for both of the KDFs, but if not then both mustbe signalled to Terminal A 1 a.

In an alternative embodiment, the media key and the authentication keyare identical. In a further embodiment, the KMS 3 delivers a single keyto Terminal B 4 and Terminal B 4 derives a media and an authenticationkey from that base key. Delivering one key from the KMS and performingsome key derivations in the terminal improves signalling efficiency.

In a further embodiment, the KMS 3 derives Key_B_Auth=KDF_(—)2(Key,Mod_B, Vld_B, other parameters), and Terminal B 4 subsequently derivesKey_B_Media=KDF_(—)3(Key_B_Auth, . . . ). This gives stronger keyconfirmation properties as Terminal A 1 a will receive strongerassurance that whoever can produce the right “token” (based onKey_B_Auth) must also be able to deduce Key_B_Media.

S44. The KMS 3 sends the keys to Terminal B 4 together with Mod_B and,if necessary, Vld_B.

S45. Terminal B 4 creates an authentication token by calculating a MACbased on Key_B_Auth. The response signalling from Terminal B 4 toTerminal A 1 a includes the identity used in the key derivations, unlessthis identity is known to User A by other means. The response signallingmust also contain Mod_B. It is therefore appropriate to calculate theMAC using the identity and Mod_B. If necessary, other parameters mayadditionally be used to calculate the MAC.

S46. Terminal B 4 sends Vld_B, Mod_B and the MAC to Terminal A 1 a in aresponse to the INVITE message sent in step S41.

S47. Terminal A 1 a calculates Key_B_Auth and verifies the MAC providedby Terminal B using the calculated Key_B_Auth.

Tickets can be used as a basis for multiple sessions by including also asession modifier Mod_A in the INVITE. In this case, the MAC in theauthentication token should be calculated over previously definedparameters and Mod_A.

Referring to FIG. 8, there is illustrated a KMS 3 according to anembodiment of the invention. Note that whilst the following descriptionrefers to receiving and transmitting functions, these functions may beembodied in single or multiple receivers, transmitters, or transceivers.The KMS 3 is provided with a first receiver function 5 for receiving arequest for a key and a ticket from Terminal A 1 a. A first transmittingfunction 6 is provided for transmitting the key and ticker to Terminal A1 a. A second receiving function 7 is provided for receiving a messagefrom Terminal B 4, the message including the identifier. A processingfunction 8 is used to generate the Terminal B unique key using themodifying parameter associated with the Terminal B. A secondtransmitting function 9 is also provided for transmitting the Terminal Bunique key to Terminal B, the key being usable to secure communicationbetween the originating device and the terminating device. Theprocessing function 8 is further arranged to generate the modifyingparameter prior to generating the terminating device key for theembodiment in which the KMS 3 generates the modifying parameter. The KMS1 is also provided with a computer program product in the form of amemory 11 a used to store a computer program that has instructionsusable by the KMS 1 to perform the functions described above.

Referring to FIG. 9, an originating device 1 a such as that used by UserA 1 is provided with a first transmitting function 10 for sending to aKMS a request for a key and a ticket associated with the identity ofUser B, with whom the originating device wishes to establish acommunication. A first receiving function 11 is arranged to receive fromthe KMS 3 the user key and the identifier. A second transmittingfunction 12 is provided for sending to the User B a request to establisha communication. The request includes the ticket. A second receivingfunction 13 is provided for receiving from Terminal B 4 a modifyingparameter. A processor 14 is arranged to use the received modifyingparameter and the key to generate a Terminal B unique key. A thirdtransmitting function 15 is provided for sending a communication securedusing the Terminal B—unique key to Terminal B. The device 1 a is alsoprovided with a computer program product in the form of a memory 14 aused to store a computer program that has instructions usable by theintermediate node 1 to perform the functions described above.

FIG. 10 illustrates a terminating device such as Terminal B 4. TerminalB 4 is provided with a first receiver function 16 for receiving from anINVITE from Terminal A 1 a, the INVITE including User B's ticket. Afirst transmitting function 17 is provided for sending the ticket to theKMS 3. A second receiver function 18 is provided for the TerminalB-unique key, and a third receiver function 19 receives from Terminal A1 a a communication secured using the Terminal B-unique key. In anembodiment of the invention, Terminal B 4 is provided with a secondtransmitter function 20 for sending the modifying parameter to User A.In the embodiment in which Terminal B 4 generates the modifyingparameter, Terminal B 4 is provided with a processor 21 for generatingthe modifying parameter. Terminal B 4 is also provided with a computerprogram product in the form of a memory 21 a used to store a computerprogram that has instructions usable by the intermediate node 1 toperform the functions described above.

The invention ensures that device-unique keys are generated for devicessubmitting the same ticket to the KMS 3. The keys are not only uniquebetween the two users, but can also be unique for each device.Embodiments of the invention ensure that other devices, using the sameuser subscription, cannot obtain/derive the same key by pretending to beanother device. Keys can be used to authenticate devices and users, andalternatively or additionally to secure communications. Key managementis therefore provided where a user wishes to establish a communicationwith another user but does not know which of the other user's devicesthe communication will be forked to.

Compared to options where the key is generated by the Terminal B alone,there is no need for a Public Key Infrastructure (PKI) nor an alreadyexisting pre-shared key between Terminal A and Terminal B.

It will be appreciated by the person of skill in the art that variousmodifications may be made to the embodiments described above withoutdeparting from the scope of the present invention as defined by theclaims. For example, the description above assumes that all users (e.g.User A 1 and User B 2 of FIG. 2) use the same KMS 3. A person skilled inthe art will appreciate that a different KMS could be used by User A 1and User B 2 by an additional protocol by which the KMS of User B 2 cancommunicate with the KMS of User A 1.

The invention claimed is:
 1. A method of key management at a KeyManagement Server for a first and second device in a communicationnetwork, the method comprising: at the Key Management Server, receivingfrom the first device a request for a token associated with a useridentity; sending the requested token and a user key associated with theuser identity from the Key Management Server to the first device;receiving the token at the Key Management Server from the second device,the second device being associated with the user identity; generating,at the Key Management Server, a second device key using the user key anda modifying parameter associated with the second device, wherein themodifying parameter also is or will be available to the first device forgenerating the second device key from the user key; and sending thesecond device key from the Key Management Server to the second devicefor authentication or secure communication between the first device andthe second device.
 2. The method according to claim 1, furthercomprising, prior to generating the second device key, receiving themodifying parameter from the second device.
 3. The method according toclaim 1, further comprising generating the modifying parameter prior togenerating the second device key.
 4. The method according to claim 1,wherein the modifying parameter is selected from any of a pseudo-randomnumber, the user identity, a Globally Routable User Agent (UA) UniformResource Identifier, a Network Application Function-initial key, an IPMultimedia Private Identity associated with the second device, and anInternational Mobile Subscriber Identity associated with the seconddevice.
 5. The method according to claim 1, wherein generating thesecond device key comprises using the modifying parameter and at leastone further parameter selected from a time stamp, an identity associatedwith the first device, the user identity associated with the seconddevice, an identity associated with a user of the first device, anidentity associated with a user of the second device, and an identityassociated with the Key Management Server, and wherein the methodfurther comprises sending an indication of the further parameter to thefirst device.
 6. The method according to claim 1, further comprisingreceiving at the Key Management Server from the second device, inaddition to the token, an identity parameter relating to the identity ofa user of the second device, and using the identity parameter togenerate the second device key.
 7. The method according to claim 1,wherein the token received from the second device is received via asecond Key Management Server, and the second device key is sent to thesecond device via the second Key management Server.
 8. The methodaccording to claim 1, wherein the user identity identifies one of aparticular user, a group of users, and any user.
 9. The method accordingto claim 1, wherein the token includes either the user key or areference to a copy of the user key.
 10. A Key Management Server for usein a communication network, the Key Management Server comprising: one ormore receivers configured to receive from a first device a request for atoken associated with a user identity; one or more transmittersconfigured to transmit the token and a user key associated with the useridentity to the first device; the one or more receivers furtherconfigured to receive a message from a second device, the second devicebeing associated with the user identity, the message including thetoken; a processor configured to generate a second device key using theuser key and a modifying parameter associated with the second device,wherein the modifying parameter also is or will be available to thefirst device for generating the second device key from the user key; andthe one or more transmitters further configured to transmit the seconddevice key to the second device, the second device key being usable bythe second device for authentication or secure communication with thefirst device.
 11. The Key Management Server according to claim 10,wherein the processor is further configured to obtain the modifyingparameter prior to generating the terminating device key.
 12. The KeyManagement Server according to claim 10, wherein the modifying parameteris selected from any of a pseudo-random number, the user identity, aGlobally Routable User Agent (UA) Uniform Resource Identifier, a NetworkApplication Function-initial key, an IP Multimedia Private Identityassociated with the second device, and an International MobileSubscriber Identity associated with the second device.
 13. The KeyManagement Server according to claim 10, wherein the processor isconfigured to generate the second device key using the modifyingparameter and at least one further parameter selected from a time stamp,an identity associated with the first device, the user identityassociated with the second device, an identity associated with a user ofthe first device, an identity associated with a user of the seconddevice, and an identity associated with the Key Management Server, andwherein the one or more transmitters are further configured to send anindication of the further parameter to the first device.
 14. The KeyManagement Server according to claim 10, wherein the token includeseither the user key or a reference to a copy of the user key.
 15. Anoriginating device for use in a communication network, the originatingdevice comprising: one or more transmitters configured to send to a KeyManagement Server a request for a user key and a token associated with auser identity with which the originating device wishes to establish acommunication, wherein the token includes either the user key or areference to a copy of the user key; one or more receivers configured toreceive from the Key Management Server the user key and the token; theone or more transmitters further configured to send a request toestablish communication to a terminating device associated with the useridentity, the request including the token; the one or more receiversconfigured to receive a modifying parameter from the terminating device;a processor configured to use the modifying parameter and the user keyto generate a terminating device key that is usable by the terminatingdevice for authentication or secure communication with the originatingdevice.
 16. The originating device according to claim 15, wherein theone or more transmitters are further configured to send to theterminating device a communication that is secured using the terminatingdevice key.
 17. A terminating device for use in a communication network,the terminating device comprising: one or more receivers configured toreceive from an originating device a request to establish communication,the request including a token associated with a receiving user identity,wherein the token includes either a user key associated with thereceiving user identity or a reference to a copy of that user key; oneor more transmitters configured to send the token to a Key ManagementServer; the one or more receivers further configured to receive from theKey Management Server a terminating device key; wherein the terminatingdevice is configured to use the terminating device key forauthentication or secure communication with the originating device. 18.The terminating device according to claim 17, wherein the one or moretransmitters are further configured to send to the originating device amodifying parameter used to generate the terminating device key.
 19. Theterminating device according to claim 17, further comprising a processorconfigured to obtain the modifying parameter.
 20. The terminating deviceaccording to claim 17, further comprising a processor configured to usethe terminating device key to generate a Message Authentication Code,and wherein the one or more transmitters are further configured to sendthe Message Authentication Code to the originating device, therebyenabling the originating device to authenticate the terminating deviceusing the Message Authentication Code and the receiving user identity.21. The terminating device according to claim 17, wherein the one ormore receivers are further configured to receive from the originatingdevice a communication secured using the terminating device key.
 22. Amethod of key management at an originating device for use in acommunication network, the method comprising: sending from theoriginating device to a Key Management Server a request for a user keyand a token associated with a user identity with which the originatingdevice wishes to establish communication, wherein the token includeseither the user key or a reference to a copy of the user key; receivingat the originating device the user key and the token from the KeyManagement Server; sending a request to establish communication from theoriginating device to a terminating device associated with the useridentity, the request including the token; receiving a modifyingparameter at the originating device from the terminating device; usingthe modifying parameter and the user key at the originating device togenerate a terminating device key that is usable by the terminatingdevice for authentication or secure communication with the originatingdevice.
 23. The method according to claim 22, further comprising sendingfrom the originating device to the terminating device a communicationsecured using the terminating device key.
 24. A method of key managementat a terminating device for use in a communication network, the methodcomprising: receiving at the terminating device from an originatingdevice a request to establish communication, the request including atoken associated with a receiving user identity, wherein the tokenincludes either a user key associated with the receiving user identityor a reference to a copy of that user key; sending the token from theterminating device to a Key Management Server; receiving at theterminating device from the Key Management Server a terminating devicekey; and using the terminating device key for authentication or securecommunication with the originating device.
 25. The method of claim 24,further comprising using the terminating device key to generate aMessage Authentication Code, and sending the Message Authentication Codeto the originating device, thereby enabling the originating device toauthenticate the terminating device using the Message AuthenticationCode and the user identity.
 26. The method according to claim 24,further comprising receiving at the terminating device from theoriginating device a communication secured using the terminating devicekey.